author: Eric Blake <ebb9@byu.net> 2007-11-22 07:34:32 -0700
committer: Eric Blake <ebb9@byu.net> 2007-11-22 07:34:32 -0700
commit: 031a71a80442ed2ad3c2ee14d5811c786a12c51b (patch)
tree: c69fc113ab62b594c5ab8a96c1a69cc7ca8a42b1
parent: ed2e087c61541a94a3af378fe963cd1ae271d935 (diff)
Security fix: avoid arbitrary code execution with 'm4 -F'.
* src/freeze.c (produce_frozen_state): Never pass raw file name as
printf format.
* NEWS: Document this fix.

Signed-off-by: Eric Blake <ebb9@byu.net>
-rw-r--r-- ChangeLog 7
-rw-r--r-- NEWS 5
-rw-r--r-- src/freeze.c 2
3 files changed, 11 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 4179e81b..4d8ec23c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2007-11-22 Eric Blake <ebb9@byu.net>
+
+ Security fix: avoid arbitrary code execution with 'm4 -F'.
+ * src/freeze.c (produce_frozen_state): Never pass raw file name as
+ printf format.
+ * NEWS: Document this fix.
+
2007-11-21 Eric Blake <ebb9@byu.net>
Consistently report macro name first in messages.
diff --git a/NEWS b/NEWS
index d988adf3..17625719 100644
--- a/NEWS
+++ b/NEWS
@@ -4,8 +4,9 @@ Foundation, Inc.
Version 1.4.11 - ?? ??? 2007, by ???? (git version 1.4.10a-*)
-* Fix core dump in 'm4 -F file -t undefined', present since -F was
- introduced in 1.3.
+* Security fixes for the -F option, for bugs present since -F was
+ introduced in 1.3: Avoid core dump with 'm4 -F file -t undefined', and
+ avoid arbitrary code execution with certain file names.
* Fix regression introduced in 1.4.9b in the `divert' builtin when more
than 512 kibibytes are saved in diversions on platforms like NetBSD where
fopen(name,"a+") seeks to the end of the file.
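Review bot: "certain file names" in the new -F entry does not let a user judge whether they are affected. The ChangeLog entry in this same patch already names the cause (the raw file name was passed as a printf format), so the NEWS text could say so directly, for example "file names containing printf conversion sequences". Folding the core dump fix and the format string fix into one bullet also makes the two harder to cite separately; two bullets under a shared "Security fixes for the -F option" lead would read more clearly.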
diff --git a/src/freeze.c b/src/freeze.c
index 2858e64d..df68f3ad 100644
--- a/src/freeze.c
+++ b/src/freeze.c
@@ -58,7 +58,7 @@ produce_frozen_state (const char *name)
if (file = fopen (name, O_BINARY ? "wb" : "w"), !file)
{
- M4ERROR ((warning_status, errno, name));
+ M4ERROR ((warning_status, errno, "%s", name));
return;
}
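Review bot: the patch carries no regression test for the corrected M4ERROR call in the fopen failure branch of produce_frozen_state; the diffstat lists only ChangeLog, NEWS and src/freeze.c. A test that points -F at a path that cannot be opened and whose name contains a percent sign, then checks that the warning prints the name verbatim, would keep this from regressing. It is also worth checking the remaining M4ERROR calls that take a caller-supplied string for the same pattern, and, if the function behind M4ERROR is declared with a printf format attribute, building with -Wformat-security so the compiler reports a non-literal format with no arguments.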